Overview
Tomcat does not adequately validate HTTP requests and may reveal JSP source code if supplied a malformed HTTP request.
Description
JavaServer Pages (JSP) is a technology that allows for the creation of dynamic web content. The Apache Jakarta Project implementation of JSP is known as Tomcat. Tomcat does not enforce HTTP request syntax with regard to protocol name and version number. Furthermore, if a received HTTP request for a JSP is missing the protocol name and version number string (i.e. "HTTP/1.1"), Tomcat will serve the JSP source file instead of executing the file and serving the servlet output. |
Impact
Attackers may gain read access to JSP source code on the server. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Eric Daniel Mauricio for reporting this vulnerability.
This document was written by Shawn Van Ittersum and Jeffrey P. Lanza.
Other Information
| CVE IDs: | None |
| Severity Metric: | 4.80 |
| Date Public: | 2001-04-03 |
| Date First Published: | 2002-09-14 |
| Date Last Updated: | 2003-09-23 02:15 UTC |
| Document Revision: | 14 |